A security researcher has discovered a “bug” in Symantec antivirus software, which affects “the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products.” I say “bug” because it’s less bug, and more a gaping security flaw that makes it incredibly easy to hack any PC, Mac or Linux box running Symantec software.
The flaw (spotted by The Register) was found by Tavis Ormandy, a white-hat hacker whose previous work has involved hacking internet-connected scales. The Symantec bug concerns how the antivirus engine scans code, in particular how it handles files produced by an old compression tool.
The result is that if a hacker sends a carefully formatted file via email (or just a web link), all the target computer has to do is receive and scan the email — the user doesn’t even have to open the file or link. The hacker then gets root access to the target computer, meaning he owns the machine. As Ormandy succinctly put it, “this is about as bad as it can possibly get.”
Symantec is aware of the bug, and there’s already a fix being pushed. If you use Symantec or Norton antivirus, you should run the Live Update tool, and check for patches.
The flaw itself is due to a buffer overflow, the same kind of programming bug that caused the infamous Heartbleed Bug. But what makes this particular flaw so dangerous isn’t the bug itself but where in the system the code is unpacked. On Windows machines, Symantec unpacks potential malware directly inside the kernel, which, as one Twitter user pointed out, is a really bad idea:
Inspecting malicious code in the kernel? That's like the bomb squad bringing a suspicious package into a kindergarten to open it. CC @taviso
— Patrick Gray (@riskybusiness) May 17, 2016
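To show the class of bug the article describes, here is an added example (not Symantec's code, and not the real compression tool's format) of the checks an unpacker must make before trusting the sizes an attacker-supplied file declares. The toy packed format below is constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed toy "packed" format (assumption, not the real tool's format):
 *   bytes 0..1 : declared unpacked length, little-endian
 *   then runs  : [count][value] pairs, each expanding to `count` copies of `value`
 */
#define UNPACK_CAP 64

/* Returns the number of bytes written to out, or -1 if the input is malformed
 * or would overrun the caller's buffer of out_cap bytes. A decoder that copied
 * `declared` or `count` bytes without these checks is the overflow pattern. */
int unpack_checked(const uint8_t *in, size_t in_len,
                   uint8_t *out, size_t out_cap)
{
    if (in_len < 2) return -1;                 /* header truncated */
    size_t declared = in[0] | ((size_t)in[1] << 8);
    /* Check 1: the header's length never overrides the real buffer size. */
    if (declared > out_cap) return -1;

    size_t written = 0, pos = 2;
    while (written < declared) {
        if (pos + 2 > in_len) return -1;       /* run truncated */
        size_t count = in[pos], value = in[pos + 1];
        pos += 2;
        /* Check 2: a run may not push past the declared (and so capped) length. */
        if (count > declared - written) return -1;
        memset(out + written, (int)value, count);
        written += count;
    }
    return (int)written;
}

/* Constructed samples: a benign blob, one whose header claims 65535 bytes, and
 * one whose run is longer than the length its own header declared. */
static const uint8_t SAMPLE_OK[]      = { 0x05, 0x00, 0x03, 'A', 0x02, 'B' };
static const uint8_t SAMPLE_BIG_HDR[] = { 0xFF, 0xFF, 0xFF, 'X' };
static const uint8_t SAMPLE_BIG_RUN[] = { 0x02, 0x00, 0x03, 'C' };

/* Helpers returning the decoder's verdict on each sample. */
int demo_ok(void) {
    uint8_t b[UNPACK_CAP];
    int n = unpack_checked(SAMPLE_OK, sizeof SAMPLE_OK, b, sizeof b);
    return (n == 5 && memcmp(b, "AAABB", 5) == 0) ? n : -2;
}
int demo_big_header(void) { uint8_t b[UNPACK_CAP]; return unpack_checked(SAMPLE_BIG_HDR, sizeof SAMPLE_BIG_HDR, b, sizeof b); }
int demo_big_run(void)    { uint8_t b[UNPACK_CAP]; return unpack_checked(SAMPLE_BIG_RUN, sizeof SAMPLE_BIG_RUN, b, sizeof b); }
```

Both malformed samples are rejected before a single byte is written; the same checks belong in any decoder, but running it outside the kernel limits the damage when a check is missed.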
What lessons can we learn from this? Well, as any compsci professor would probably explain, suspicious code should be examined in a walled-off sandbox, not the system kernel. For non-programmers, the lesson is much simpler: uninstall Norton or Symantec, get better about not opening suspicious files, and please, remember to do your backups.